Hi,

I have a "non standard" requirement to distribute my root certificate.

Typically a root certificate is distributed by either:
a) The user navigates to a web site via HTTP to download the .cer file (e.g. 
http:/bs.mit.edu/mitca.ca) (this replies using Content-Type: 
application/x-x509-ca-cert)
b) The user navigates to a website via HTTPS, gets a certificate warning, 
navigates to the root certificate and installs the certificate via the GUI.
c) The user gets emailed/given the root certificate (in a .p7b / .cer file), 
double-clicks on it and installs it.

Unfortunately, I need a solution other than any of the above (since I need to automate 
the process, I can have multiple root certificates, and only HTTPS is available).

Therefore I need to find out how to either:

1. Configure IIS to send the root certificate when doing an HTTPS handshake:
(The SSL and TLS standards do not require that a server sends the entire certificate 
chain. Here's a quote from the TLS standard: "Because certificate validation requires 
that root keys be distributed independently, the self-signed certificate which 
specifies the root certificate authority may optionally be omitted from the chain, 
under the assumption that the remote end must already possess it in order to validate 
it in any case".)

2. Internet Explorer somehow gets the root certificate. I would like to find out what 
message the client sends to the server to request this. As this is in SSL, it's hard to 
trace it. I'm using the C# Security Library from Mentalis.org, so once the server 
sends the certificate, I should be fine with installing it.

If anyone could help with point 1 or 2, that would be great!

Sorry if this is slightly off the topic, but I'm not sure where else I can post this 
question...

Jonni
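The TLS passage quoted under point 1 is the crux of the question: the self-signed root may be omitted from the chain, and even when a server does append it, a client must not treat it as trusted merely because it arrived inside the handshake. The following is an added example, not code from the original post, from IIS or from the Mentalis library; it is written in Go because the standard library offers both TLS and X.509 in-process. It builds a constructed, throw-away root and server certificate (the host name "example.test" is an assumed value), runs an in-memory handshake with and without the root in the server's chain, and then validates the presented chain against a client trust store that either does or does not already contain the root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const hostName = "example.test" // hypothetical server name, assumed for this demo
// ChainPKI is a constructed throw-away PKI (self-signed root plus server leaf); nothing touches disk or network.
type ChainPKI struct {
	Root    *x509.Certificate
	LeafDER []byte
	LeafKey *ecdsa.PrivateKey
}
// NewChainPKI generates the root and the leaf in memory.
func NewChainPKI() (*ChainPKI, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: hostName}, DNSNames: []string{hostName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &ChainPKI{Root: root, LeafDER: leafDER, LeafKey: leafKey}, nil
}

// HandshakeChain runs one TLS handshake over an in-memory pipe and returns the certificates
// the server presented, in order. With includeRoot the server also sends its self-signed root.
func HandshakeChain(p *ChainPKI, includeRoot bool) ([]*x509.Certificate, error) {
	chain := [][]byte{p.LeafDER}
	if includeRoot {
		chain = append(chain, p.Root.Raw)
	}
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: chain, PrivateKey: p.LeafKey}},
		SessionTicketsDisabled: true, // keep the exchange to the bare handshake
	}
	// Trust is decided afterwards in VerifyAgainstRoots, so this client only records what
	// the server sent; a real client must never be configured with InsecureSkipVerify.
	clientCfg := &tls.Config{InsecureSkipVerify: true, ServerName: hostName}
	serverEnd, clientEnd := net.Pipe()
	defer func() { serverEnd.Close(); clientEnd.Close() }()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(serverEnd, serverCfg).Handshake() }()
	client := tls.Client(clientEnd, clientCfg)
	if err := client.Handshake(); err != nil {
		return nil, err
	}
	if err := <-srvErr; err != nil {
		return nil, err
	}
	return client.ConnectionState().PeerCertificates, nil
}

// VerifyAgainstRoots checks the chain the way a browser does: trust anchors come only from the
// client's own store; anything sent after the leaf is at most an intermediate, never an anchor.
func VerifyAgainstRoots(chain []*x509.Certificate, roots *x509.CertPool, host string) error {
	if len(chain) == 0 {
		return fmt.Errorf("server sent no certificate")
	}
	intermediates := x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: host})
	return err
}
```

Calling `HandshakeChain` with `includeRoot` false and true yields one and two certificates respectively, and `VerifyAgainstRoots` succeeds in both cases only for a trust pool that already holds the root; with an empty pool it fails either way, including when the server itself sent the root. That is the behaviour the quoted standard text describes: a server can be made to append the root to its chain, but that by itself cannot make a client trust it, so the root still has to reach the client through a channel the client already trusts.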